check in kubernetes certifactes as well

verify local cert

s_client

$ openssl s_client -state -msg -connect domain.sample.com:443

with cert debug

$ openssl s_client -state \
                   -debug \
                   -connect domain.sample.com:443 \
                   -cert domain.sample.com-server.crt \
                   -key domain.sample.com-server.key \

curl

$ curl -vvv \
       [--cacert server.crt \]
       https://domain.sample.com:443/artifactory
  • or
    $ curl -vvv \
       -i \
       -L \
       [--cacert server.crt \] \
       https://domain.sample.com:443/artifactory

openssl

get crt information

  • ca.crt

    $ openssl verify ca.crt
    • or
      $ openssl x509 -noout -text -in ca.crt

  • server.crt

    $ openssl x509 -inform PEM \
               -in server.crt \
               -text \
               -out certdata.pem

get csr information

$ openssl req -noout -text -in server.csr

java ssl

to add cert into Java for Java services (i.e.: Jenkins)

reference:

SSLPoke.java
// SSLPoke.java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
  public static void main(String[] args) {
    if (args.length != 2) {
      System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
      System.exit(1);
    }
    try {
      SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
      SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

      SSLParameters sslparams = new SSLParameters();
      sslparams.setEndpointIdentificationAlgorithm("HTTPS");
      sslsocket.setSSLParameters(sslparams);

      InputStream in = sslsocket.getInputStream();
      OutputStream out = sslsocket.getOutputStream();

      // Write a test byte to get a reaction :)
      out.write(1);

      while (in.available() > 0) {
        System.out.print(in.read());
      }
      System.out.println("Successfully connected");

    } catch (Exception exception) {
        exception.printStackTrace();
        System.exit(1);
    }
  }
}
  • extract cert from server:
    $ openssl s_client -connect server:443
  • negative test cert/keytool:
    $ java SSLPoke server 443
    • you should get something like
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • import cert into default keytool:
    $ keytool -import -alias alias.server.com -keystore $JAVA_HOME/jre/lib/security/cacerts

  • positive test cert / keytool:

    java SSLPoke server 443

// you should get this:
// Successfully connected

  • import certificate into your local TrustStore

    -Djavax.net.ssl.trustStore will override the default truststore (cacerts). copy the default one and then add cert and set it via -Djavax.net.ssl.trustStore so default CA won't be lost.

    $ keytool -import \
          -trustcacerts \
          -storepass changeit \
          -file "./class 1 root ca.cer" \
          -alias C1_ROOT_CA \
          -keystore ./LocalTrustStore

# use it in JAVA:
$ java -Djavax.net.ssl.trustStore=./LocalTrustStore -jar SSLPoke.jar $HOST $PORT

  • list expired date for all in cacerts

    $ keytool --list -v --keystore cacerts | grep "until:" | sed 's/^.*until: //'

InstallCert.java

reference:

compile first

$ javac InstallCert.java
  • Access server, and retrieve certificate (accept default certificate 1)
    $ java InstallCert [host]:[port]
  • Extract certificate from created jssecacerts keystore
    $ keytool -exportcert -alias [host]-1 -keystore jssecacerts -storepass changeit -file [host].cer
  • Import certificate into system keystore
    $ keytool -importcert -alias [host] -keystore [path to system keystore] -storepass changeit -file [host].cer

verify remote cert

reference:

openssl & s_client

$ openssl s_client -showcerts -connect www.domain.com:443

  • or

    $ openssl s_client -showcerts \
                   -starttls imap \
                   -connect www.domain.com:443
CONNECTED(00000005)

  • or using local client cert for debug purpose

    $ openssl s_client -showcerts \
                   -cert cert.cer \
                   -key cert.key \
                   -connect www.domain.com:443

  • or

     $ openssl s_client -connect www.domain.com:443 |
   openssl x509 -text -noout |
   grep -A 1 -i key

  • or use specify acceptable ciphers for ssl handshake

    $ openssl s_client -showcerts \
                   -cipher DHE-RSA-AES256-SHA \
                   -connect www.domain.com:443

  • or get enddate only

    $ echo | openssl s_client \
                 -connect www.domain.com:443 2>/dev/null |
         openssl x509 -noout -enddate
notAfter=Nov 28 23:59:59 2020 GMT

verify certs

$ echo | openssl s_client -showcerts \
                          -servername www.domain.com \
                          -connect www.domain.com:443 2>/dev/null |
         openssl x509 -inform pem -noout -text
  • get ssl only
    $ echo | openssl s_client -showcerts \
                          -connect www.domain.com:443 2>/dev/null |
                          sed -n '/BEGIN.*-/,/END.*-/p'

curl

$ curl -vvI https://www.domain.com
  • print ssl only
    $ curl --insecure \
       -vvI https://www.domain.com 2>&1 |
  awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'

keytool

$ keytool -printcert -sslserver www.domain.com:443

nmap

$ nmap -p 443 --script ssl-cert www.domain.com [-v]
Copyright © marslo 2020-2023 all right reserved,powered by GitbookLast Modified: 2024-03-27 16:56:10

results matching ""

    No results matching ""